Full Report
A statistical report published by the Federal Bureau of Investigation (FBI) in September 2024 put losses to business email compromise (BEC) attacks at more than US$55 billion between October 2013 and December 2023. That profitability drives attackers to refine their techniques and adapt them to evade security filters.
Analysis Summary
# Incident Report: Rise of Email Marketing Platforms in BEC Attacks
## Executive Summary
This analysis details the evolving tactics used in Business Email Compromise (BEC) attacks observed throughout 2024, specifically the increasing reliance by threat actors on legitimate email marketing platforms (mass mailers) for bulk distribution. While traditional webmail providers remain the primary source of BEC spam, platforms such as SendGrid and Mailjet let attackers ride on the platform's established sender reputation and delivery features to get past reputation-based spam filtering and deliver targeted, customized invoice-fraud lures.
## Incident Details
- Discovery Date: Data analyzed corresponds to submissions received throughout 2024.
- Incident Date: Ongoing threat analysis throughout 2024.
- Affected Organization: Various organizations targeted globally (no specific victims detailed, analysis based on MailMarshal submissions).
- Sector: Various (Analysis references general threats, though a related report mentions Energy and Utilities).
- Geography: Global reach implied by mass mailer platforms.
## Timeline of Events
### Initial Access
- Date/Time: During 2024 submissions.
- Vector: Email delivery via legitimate third-party mass mailing services.
- Details: Attackers used Email Marketing Platforms (e.g., Mailjet, SendGrid, Mandrill) rather than individual webmail accounts to distribute BEC spam.
### Lateral Movement
- N/A (This summary details the delivery mechanism, not post-compromise network activity).
### Data Exfiltration/Impact
- Impact: Financial loss driven by invoice fraud—victims were baited into making payments on purported overdue invoices from impersonated suppliers or executives (Multi-Persona Impersonation).
### Detection & Response
- Detection: Analysis based on approximately 12,000 MailMarshal submissions for 2024.
- Response actions taken: Monitoring, statistical reporting, and public awareness dissemination regarding these evolving spam sources.
*Specific organizational response to individual incidents is not detailed.*
## Attack Methodology
- Initial Access: Phishing email delivered through Email Marketing Platforms (Mass Mailers) abused for bulk sending; the platform's own infrastructure and sender reputation carry the message past reputation-based filtering.
- Persistence: N/A on victim systems. The durable element is the attacker's account on the marketing platform, which provides stable, reputable sending infrastructure for repeated campaigns.
- Privilege Escalation: N/A. The lure is aimed at employees who already hold payment authority (e.g., accounts payable or finance staff), so no escalation is needed.
- Defense Evasion: Sending from ESP IP ranges that filters treat as trusted, combined with the vendors' own deliverability guidance on crafting mail that avoids spam filters.
- Credential Access: Not described; the objective is a fraudulent payment rather than credential theft.
- Discovery: N/A on the victim network. The report does imply prior reconnaissance: lures reference known invoice numbers and impersonate established third-party suppliers or company executives (Multi-Persona Impersonation).
- Lateral Movement: N/A (the report covers the delivery mechanism only).
- Collection: N/A. What the platforms provide at this stage is template customization (recipient names, impersonated brands, invoice references) through their APIs or web interfaces.
- Exfiltration: N/A. No data leaves the victim; the outcome is a fraudulent wire transfer prompted by the lure.
- Impact: Financial loss from payment of a manipulated or fabricated invoice.
## Impact Assessment
- Financial: The FBI figure of more than US$55 billion lost to BEC is cumulative across October 2013 to December 2023, not an annual figure; it is contextual data indicating the scale of financial risk from these campaigns.
- Data Breach: Specific data exfiltration volume not specified; primary impact is financial fraud via invoice manipulation.
- Operational: Potential disruption due to investigation and remediation following a successful fraudulent payment.
- Reputational: Risk associated with being associated with email impersonation or payment fraud, though the analysis focuses on the attacker toolkit.
## Indicators of Compromise
- Network indicators: Messages originating from the legitimate bulk-sender IP ranges and envelope (Return-Path) domains of Email Marketing Platforms (e.g., SendGrid, Mailjet), which cannot be blocked wholesale without also blocking legitimate marketing mail.
- File indicators: N/A (Focus on email content and headers).
- Behavioral indicators: Emails utilizing common BEC lures such as "ZoomInfo Invoice {invoice number} - Approved for payment" or variations thereof, sent from mass mailer domains.
## Response Actions
- Containment measures: Not detailed for specific campaigns; general security reminder issued.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
## Lessons Learned
- Attackers are actively adapting by moving away from easy-to-block free webmail providers toward sophisticated, bulk-sending commercial platforms to increase delivery success.
- Email Marketing Platforms provide attackers scalable features: bulk sending, automation, and API customization, which mirror legitimate marketing uses.
- Attackers follow the vendors' own deliverability guidance (written to keep legitimate marketing mail out of spam folders) to ensure their malicious emails land in the intended inboxes.
## Recommendations
- Enhance email gateway security to flag traffic from known Email Marketing Platforms that also carries BEC characteristics (urgent financial requests, invoice references or attachments, an executive's name on an external sender address, a Reply-To that diverts replies elsewhere), rather than trusting the platform's reputation alone.
- Implement stricter verification procedures for all financial transactions initiated via email, especially those referencing invoices or executive requests: confirm out of band, using contact details held on file rather than those in the message.
- Monitor outbound mail logs and the organization's own marketing-platform accounts for unexpected bulk sends, since a compromised account on such a platform hands an attacker the same reputable infrastructure.
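The indicators above (ESP origin plus an invoice lure, an executive's name on a lookalike domain, a diverted Reply-To) can be combined into a simple gateway-side triage rule. The following is an added example written for this report; it is not code from the original page or from Trustwave MailMarshal. The three messages are constructed samples, and the ESP bounce-domain set, `ORG_DOMAIN`, `EXEC_NAMES` and the rule combination in `verdict` are assumptions a real deployment would replace with its own data. The alignment check follows the DMARC idea of comparing organisational domains but reduces hostnames to their last two labels instead of consulting the Public Suffix List.

```python
"""Header triage for BEC delivered through email marketing platforms.

Added example for this report, not code from the original page or from
Trustwave/MailMarshal. The messages below are constructed samples; the ESP
bounce-domain set, ORG_DOMAIN, EXEC_NAMES and the verdict rule are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: bounce (Return-Path) domains of the mass mailers named in the report.
ESP_BOUNCE_DOMAINS = {"sendgrid.net", "mailjet.com", "mandrillapp.com"}
# Assumed: the protected organisation and the executives attackers impersonate.
ORG_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe", "john roe"}
# Words that mark an invoice / payment lure in the Subject.
LURE_RE = re.compile(r"\b(invoice|overdue|payment|remittance|wire)\b", re.I)


def org_domain(domain):
    """Reduce a hostname to its last two labels. DMARC relaxed alignment compares
    organisational domains; this shortcut stands in for the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def addr_domain(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the set of finding codes for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = addr_domain(msg.get("Return-Path"))
    reply_dom = addr_domain(msg.get("Reply-To"))
    findings = set()

    # Envelope sender belongs to a bulk mailer: SPF passes for the ESP, not the brand.
    if any(rp_dom == d or rp_dom.endswith("." + d) for d in ESP_BOUNCE_DOMAINS):
        findings.add("via_esp")
    # Header From and envelope From disagree on organisational domain. Informational:
    # legitimate ESP customers without a custom return path look exactly the same.
    if from_dom and rp_dom and org_domain(from_dom) != org_domain(rp_dom):
        findings.add("misaligned")
    if LURE_RE.search(msg.get("Subject", "")):
        findings.add("lure")
    # An executive's name on a sender outside the organisation (lookalike domain).
    if display_name.strip().lower() in EXEC_NAMES and org_domain(from_dom) != ORG_DOMAIN:
        findings.add("exec_impersonation")
    # Replies are steered to a domain other than the visible sender's.
    if reply_dom and org_domain(reply_dom) != org_domain(from_dom):
        findings.add("reply_to_divert")
    return findings


def verdict(findings):
    """'suspect' only when a financial lure is paired with an impersonation signal;
    ESP origin or misalignment on its own is how ordinary marketing mail looks."""
    impersonation = {"exec_impersonation", "reply_to_divert"}
    return "suspect" if "lure" in findings and findings & impersonation else "clean"


# Constructed samples, not real traffic. Domains other than example.* are invented.
BEC_LOOKALIKE = """\
Return-Path: <bounces+1234-abcd=example.com@sendgrid.net>
From: "Jane Doe" <jane.doe@example-invoices.net>
Reply-To: accounts@example-invoices.net
To: payables@example.com
Subject: Invoice 10482 - Approved for payment

Please process the attached overdue invoice today.
"""

BEC_REPLY_DIVERT = """\
Return-Path: <bounce@bnc3.mailjet.com>
From: "John Roe" <john.roe@example.com>
Reply-To: john.roe.ceo@example.org
To: payables@example.com
Subject: Urgent wire request

Send the supplier payment details to my personal address.
"""

NEWSLETTER = """\
Return-Path: <bounces+99-zz=example.com@sendgrid.net>
From: "Acme Deals" <news@acme.example.net>
To: someone@example.com
Subject: This week's new arrivals

Nothing to pay here.
"""

if __name__ == "__main__":
    samples = [("lookalike", BEC_LOOKALIKE), ("reply-divert", BEC_REPLY_DIVERT),
               ("newsletter", NEWSLETTER)]
    for label, sample in samples:
        found = triage(sample)
        print(f"{label:12} {verdict(found):8} {sorted(found)}")
```

The newsletter sample shows why ESP origin and From/Return-Path misalignment are kept as informational findings only: a legitimate SendGrid customer without a custom return path produces both, and blocking on them would discard ordinary marketing mail. The two BEC samples reach `suspect` by different routes, one through an executive name on a lookalike domain, the other through a Reply-To that leaves the sender's domain.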